NetEngine AR V300R019 CLI-based Configuration Guide - Security
Example for Configuring ASPF and Port Mapping
Networking Requirements
As shown in Figure 6-23, Eth2/0/0 of the Router is connected to a highly secure internal network, and GE3/0/0 is connected to an insecure external network. The Router must filter packets and perform an ASPF check on traffic between the internal network and the external network. The following requirements must be met:
- Only the host 10.39.2.3 on the external network is allowed to access the servers (10.38.1.2 to 10.38.1.4) on the internal network.
- Other external hosts are not allowed to access servers on the internal network.
- The Router tracks the state of FTP connections (ASPF) and discards packets that do not belong to a legitimate FTP session, including its data connections.
- The external host reaches the FTP server on port 2121 rather than the default FTP port 21, so the Router must treat port 2121 as FTP when inspecting the traffic.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure zones and an interzone.
- Add interfaces to the zones.
- Configure ACLs.
- Configure ACL-based packet filtering in the interzone.
- Configure ASPF in the interzone.
- Map port 2121 to the FTP protocol.
Procedure
- Configure zones and an interzone on the Router.
<Huawei> system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 14
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] quit
- Add the interfaces of the Router to the zones.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.38.1.1 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] zone trust
[Huawei-Vlanif100] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 10.39.2.1 24
[Huawei-GigabitEthernet3/0/0] zone untrust
[Huawei-GigabitEthernet3/0/0] quit
- Configure ACLs on the Router. Basic ACL 2102 identifies the FTP server for port mapping; advanced ACL 3102 permits TCP from 10.39.2.3 to the three servers and ends with an explicit deny for everything else.
[Huawei] acl 2102
[Huawei-acl-basic-2102] rule permit source 10.38.1.2 0.0.0.0
[Huawei-acl-basic-2102] quit
[Huawei] acl 3102
[Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.2 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.3 0.0.0.0
[Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.4 0.0.0.0
[Huawei-acl-adv-3102] rule deny ip
[Huawei-acl-adv-3102] quit
- Configure packet filtering in the interzone on the Router. The inbound direction is from the lower-priority zone (untrust) to the higher-priority zone (trust), so ACL 3102 is applied to traffic entering the internal network.
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] packet-filter 3102 inbound
- Configure ASPF for FTP in the interzone on the Router.
[Huawei-interzone-trust-untrust] detect aspf ftp
[Huawei-interzone-trust-untrust] quit
- Configure port mapping on the Router, so that TCP port 2121 is inspected as FTP for the host matched by ACL 2102.
[Huawei] port-mapping ftp port 2121 acl 2102
- Verify the configuration.
Run the display firewall interzone zone-name1 zone-name2 command on the Router. The command output is as follows:
[Huawei] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound
  detect aspf ftp
Run the display port-mapping ftp command on the Router. The command output is as follows:
[Huawei] display port-mapping ftp
-------------------------------------------------
Service    Port    Acl     Type
-------------------------------------------------
ftp        21              system defined
ftp        2121    2102    user defined
-------------------------------------------------
Total number is : 2
Configuration Files
Configuration file of the Router
#
 vlan batch 100
#
acl number 2102
 rule 5 permit source 10.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 10.39.2.3 0 destination 10.38.1.2 0
 rule 10 permit tcp source 10.39.2.3 0 destination 10.38.1.3 0
 rule 15 permit tcp source 10.39.2.3 0 destination 10.38.1.4 0
 rule 20 deny ip
#
port-mapping ftp port 2121 acl 2102
#
interface Vlanif100
 ip address 10.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 14
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
 detect aspf ftp
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 100
#
interface GigabitEthernet3/0/0
 ip address 10.39.2.1 255.255.255.0
 zone untrust
#
return
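As an added check (example code, not part of the Huawei guide), the following Python parses a configuration file of the form shown above, replays the interzone packet filter with the ACL's first-match and wildcard-mask semantics, and tests the networking requirements against it: only 10.39.2.3 reaches the servers over TCP, any other host and any non-TCP traffic is denied, port 2121 is mapped to FTP for the FTP server only, and ASPF for FTP is enabled in the trust-untrust interzone. The sample text is the relevant part of the configuration file above; the constants SERVERS, ALLOWED_HOST and FTP_SERVER and the assumption that 10.38.1.2 is the FTP server (the host named in ACL 2102) are mine, and the deny default for packets matching no rule follows the "packet-filter default deny inbound" line of the display output.

```python
"""Offline audit of the ACL, ASPF and port-mapping settings in a VRP-style
configuration text (added example; assumptions are marked in comments)."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample: the blocks of the Router configuration file above
# that the audit inspects.
SAMPLE_CONFIG = """\
acl number 2102
 rule 5 permit source 10.38.1.2 0
acl number 3102
 rule 5 permit tcp source 10.39.2.3 0 destination 10.38.1.2 0
 rule 10 permit tcp source 10.39.2.3 0 destination 10.38.1.3 0
 rule 15 permit tcp source 10.39.2.3 0 destination 10.38.1.4 0
 rule 20 deny ip
port-mapping ftp port 2121 acl 2102
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
 detect aspf ftp
"""

SERVERS = ("10.38.1.2", "10.38.1.3", "10.38.1.4")
ALLOWED_HOST = "10.39.2.3"
FTP_SERVER = "10.38.1.2"  # assumption: the host named in ACL 2102

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)"
    r"(?:\s+(ip|tcp|udp|icmp))?"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?")

# src/dst are (address, wildcard) as ints, or None for "any"; proto "ip" = all.
Rule = namedtuple("Rule", "number action proto src dst")

def to_int(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_int(text):
    # VRP accepts "0" as shorthand for the 0.0.0.0 wildcard (exact host).
    return to_int(text) if "." in text else int(text)

def parse_acls(config):
    """Return {acl_number: [Rule, ...]} sorted by rule number."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^acl number (\d+)", line)
        if head:
            current = acls.setdefault(int(head.group(1)), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, action, proto, s, sw, d, dw = m.groups()
            current.append(Rule(int(num), action, proto or "ip",
                                (to_int(s), wildcard_int(sw)) if s else None,
                                (to_int(d), wildcard_int(dw)) if d else None))
    for rules in acls.values():
        rules.sort(key=lambda r: r.number)
    return acls

def covers(spec, addr):
    """Wildcard-mask match: a set wildcard bit means 'don't care'."""
    if spec is None:
        return True
    base, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard
    return (to_int(addr) & care) == (base & care)

def acl_decision(rules, proto, src, dst, default="deny"):
    """First matching rule wins; with no match the packet-filter default
    applies, which is deny for the inbound direction of this interzone."""
    for r in rules:
        if r.proto in ("ip", proto) and covers(r.src, src) and covers(r.dst, dst):
            return r.action
    return default

def audit(config):
    """Check the networking requirements; an empty list means all passed."""
    findings, acls = [], parse_acls(config)
    filt = acls.get(3102, [])
    for srv in SERVERS:
        if acl_decision(filt, "tcp", ALLOWED_HOST, srv) != "permit":
            findings.append(f"{ALLOWED_HOST} cannot reach {srv} over TCP")
        if acl_decision(filt, "tcp", "10.39.2.99", srv) != "deny":
            findings.append(f"an unlisted external host can reach {srv}")
        if acl_decision(filt, "udp", ALLOWED_HOST, srv) != "deny":
            findings.append(f"non-TCP traffic to {srv} is not denied")
    pm = re.search(r"^port-mapping ftp port (\d+) acl (\d+)", config, re.M)
    if not pm or pm.group(1) != "2121":
        findings.append("port 2121 is not mapped to FTP")
    elif [r.src for r in acls.get(int(pm.group(2)), [])] != [(to_int(FTP_SERVER), 0)]:
        findings.append("port-mapping ACL does not name exactly the FTP server")
    if not re.search(r"^firewall interzone trust untrust\n(?: .*\n)*? detect aspf ftp",
                     config, re.M):
        findings.append("detect aspf ftp missing from interzone trust untrust")
    return findings
```

Feed audit() the text of display current-configuration from a device; any finding means it deviates from the stated requirements. Because rule 20 (deny ip) is the only thing keeping unlisted hosts and non-TCP traffic away from the servers, deleting or reordering it silently opens the internal network, which the unlisted-host check is there to catch.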
Document ID:EDOC1100112357